diff --git a/adm/sms_admin/form_write.php b/adm/sms_admin/form_write.php
index 603bd2c03..a8a8816cd 100644
--- a/adm/sms_admin/form_write.php
+++ b/adm/sms_admin/form_write.php
@@ -145,7 +145,7 @@ include_once(G5_ADMIN_PATH.'/admin.head.php');
diff --git a/adm/sms_admin/num_book.php b/adm/sms_admin/num_book.php
index 1e31e18b5..9813ea938 100644
--- a/adm/sms_admin/num_book.php
+++ b/adm/sms_admin/num_book.php
@@ -142,7 +142,7 @@ function no_hp_click(val)
-
+
diff --git a/adm/sms_admin/num_book_write.php b/adm/sms_admin/num_book_write.php
index 7bfe367c5..68bf45bbd 100644
--- a/adm/sms_admin/num_book_write.php
+++ b/adm/sms_admin/num_book_write.php
@@ -130,7 +130,7 @@ include_once(G5_ADMIN_PATH."/admin.head.php");
diff --git a/bbs/download.php b/bbs/download.php
index e83a21e69..c94923db0 100644
--- a/bbs/download.php
+++ b/bbs/download.php
@@ -25,8 +25,8 @@ if (!$file['bf_file'])
// JavaScript 불가일 때
if($js != 'on' && $board['bo_download_point'] < 0) {
$msg = $file['bf_source'].' 파일을 다운로드 하시면 포인트가 차감('.number_format($board['bo_download_point']).'점)됩니다.\\n포인트는 게시물당 한번만 차감되며 다음에 다시 다운로드 하셔도 중복하여 차감하지 않습니다.\\n그래도 다운로드 하시겠습니까?';
- $url1 = G5_BBS_URL.'/download.php?'.$_SERVER['QUERY_STRING'].'&js=on';
- $url2 = $_SERVER['HTTP_REFERER'];
+ $url1 = G5_BBS_URL.'/download.php?'.clean_query_string($_SERVER['QUERY_STRING']).'&js=on';
+ $url2 = clean_xss_tags($_SERVER['HTTP_REFERER']);
//$url1 = 확인link, $url2=취소link
// 특정주소로 이동시키려면 $url3 이용
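Review bot: `$url2 = clean_xss_tags($_SERVER['HTTP_REFERER']);` still takes an attacker-supplied URL as the cancel link, and tag stripping does not prevent an off-site redirect; the same-host guard this commit introduces in member_confirm.php (`check_url_host`, whose signature is visible in common.lib.php) is the matching check here. The Referer header may also be absent, which leaves `$url2` empty and raises an undefined-index notice, so a fallback such as `$url2 = isset($_SERVER['HTTP_REFERER']) ? clean_xss_tags($_SERVER['HTTP_REFERER']) : G5_URL;` followed by `check_url_host($url2);` keeps the cancel link on-site. How `$url1`/`$url2` are emitted (HTML attribute, JavaScript, or `Location:` header) is outside the hunk, so the exact escaping context cannot be confirmed from here; the enclosing `if` block also continues past the hunk.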
diff --git a/bbs/member_confirm.php b/bbs/member_confirm.php
index d55c6d14a..e3f1e9ab6 100644
--- a/bbs/member_confirm.php
+++ b/bbs/member_confirm.php
@@ -16,12 +16,8 @@ include_once('./_head.sub.php');
$url = $_GET['url'];
-$p = parse_url($url);
-if ((isset($p['scheme']) && $p['scheme']) || (isset($p['host']) && $p['host'])) {
- //print_r2($p);
- if ($p['host'].(isset($p['port']) ? ':'.$p['port'] : '') != $_SERVER['HTTP_HOST'])
- alert('url에 타 도메인을 지정할 수 없습니다.');
-}
+// url 체크
+check_url_host($url);
include_once($member_skin_path.'/member_confirm.skin.php');
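Review bot: `$url = $_GET['url'];` reads the parameter without an `isset` guard, so a request lacking `url` raises an undefined-index notice before `check_url_host($url)` runs; `$url = isset($_GET['url']) ? $_GET['url'] : '';` avoids that. The return value of `check_url_host` is discarded and its body is outside this hunk, so if the helper only alerts on a foreign host without exiting, execution falls through to the skin include with the raw `$url` — its `$return_url=G5_URL` parameter suggests it redirects, but that is worth confirming, or else use whatever sanitised value it returns. The removed inline check caught protocol-relative `//host/...` inputs via `parse_url`; confirm the helper treats those the same way.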
diff --git a/config.php b/config.php
index eb5140099..613073dbb 100644
--- a/config.php
+++ b/config.php
@@ -5,7 +5,7 @@
********************/
define('G5_VERSION', '그누보드5');
-define('G5_GNUBOARD_VER', '5.0.35');
+define('G5_GNUBOARD_VER', '5.0.36');
// 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음
define('_GNUBOARD_', true);
diff --git a/lib/common.lib.php b/lib/common.lib.php
index cf28863a3..5ee99b547 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -2869,4 +2869,88 @@ function check_url_host($url, $msg='', $return_url=G5_URL)
}
}
}
+
+// QUERY STRING 에 포함된 XSS 태그 제거
+function clean_query_string($query, $amp=true)
+{
+ $qstr = trim($query);
+
+ parse_str($qstr, $out);
+
+ if(is_array($out)) {
+ $q = array();
+
+ foreach($out as $key=>$val) {
+ $key = trim($key);
+ $val = trim($val);
+
+ switch($key) {
+ case 'wr_id':
+ $val = (int)preg_replace('/[^0-9]/', '', $val);
+ $q[$key] = $val;
+ break;
+ case 'sca':
+ $val = clean_xss_tags($val);
+ $q[$key] = $val;
+ break;
+ case 'sfl':
+ $val = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\s]/", "", $val);
+ $q[$key] = $val;
+ break;
+ case 'stx':
+ $val = get_search_string($val);
+ $q[$key] = $val;
+ break;
+ case 'sst':
+ $val = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\s]/", "", $val);
+ $q[$key] = $val;
+ break;
+ case 'sod':
+ $val = preg_match("/^(asc|desc)$/i", $val) ? $val : '';
+ $q[$key] = $val;
+ break;
+ case 'sop':
+ $val = preg_match("/^(or|and)$/i", $val) ? $val : '';
+ $q[$key] = $val;
+ break;
+ case 'spt':
+ $val = (int)preg_replace('/[^0-9]/', '', $val);
+ $q[$key] = $val;
+ break;
+ case 'page':
+ $val = (int)preg_replace('/[^0-9]/', '', $val);
+ $q[$key] = $val;
+ break;
+ case 'w':
+ $val = substr($val, 0, 2);
+ $q[$key] = $val;
+ break;
+ case 'bo_table':
+ $val = preg_replace('/[^a-z0-9_]/i', '', $val);
+ $val = substr($val, 0, 20);
+ $q[$key] = $val;
+ break;
+ case 'gr_id':
+ $val = preg_replace('/[^a-z0-9_]/i', '', $val);
+ $q[$key] = $val;
+ break;
+ default:
+ $val = clean_xss_tags($val);
+ $q[$key] = $val;
+ break;
+ }
+ }
+
+ if($amp)
+ $sep = '&';
+ else
+ $sep ='&';
+
+ $str = http_build_query($q, '', $sep);
+ } else {
+ $str = clean_xss_tags($qstr);
+ }
+
+ return $str;
+}
?>
\ No newline at end of file
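Review bot: In `clean_query_string`, `$val = trim($val);` assumes every parsed value is a string, but `parse_str` produces arrays for bracketed keys such as `sca[]=x` or `stx[a]=b`, and `trim()` on an array emits a warning and returns null, so those keys reach `http_build_query` as empty values instead of being cleaned or dropped; add `if (is_array($val)) { continue; }` (or flatten and clean recursively) before the `trim`. The `$amp` parameter has no effect as shown — both branches of `if($amp)` assign the same `'&'` to `$sep`; if the first branch was meant to emit the HTML entity `&amp;` it may have been lost in rendering, otherwise drop the parameter or document the intent. `parse_str` always populates `$out` as an array, so the `else` branch calling `clean_xss_tags($qstr)` is unreachable. A short header comment would help, e.g. `// Rebuild a query string from per-key-sanitised parameters; values are URL-encoded by http_build_query on output.`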
diff --git a/mobile/skin/board/basic/view_comment.skin.php b/mobile/skin/board/basic/view_comment.skin.php
index d3aa7fe05..c6984f652 100644
--- a/mobile/skin/board/basic/view_comment.skin.php
+++ b/mobile/skin/board/basic/view_comment.skin.php
@@ -50,7 +50,7 @@ var char_max = parseInt(); // 최대
); // 최대
',
비밀번호를 한번 더 입력해주세요.
+
+ 비밀번호를 입력하시면 회원탈퇴가 완료됩니다.
+
회원님의 정보를 안전하게 보호하기 위해 비밀번호를 한번 더 확인합니다.
+